PAS 730.3.B.2.4 April 24, 2012 12-PAS-012(R)



Similar documents
Master Document Audit Program. Business System Deficiency Report Assignment. Version No. 1.3, dated June 2014 B-1 Planning Considerations

Master Document Audit Program. Version 1.5, dated September 2015 B-01 Planning Considerations

Post Award Accounting System Audit at Nonmajor Contractors

Master Document Audit Program. Version 1.8, dated November B-01 Planning Considerations

Government Accounting, Estimating, and Billing Systems: Pitfalls and Answers

Master Document Audit Program. Version 1.14, dated November 2015

DEFENSE CONTRACT AUDIT AGENCY DEPARTMENT OF DEFENSE 8725 JOHN J. KINGMAN ROAD, SUITE 2135 FORT BELVOIR, VA

Post Award Accounting System Audit at Nonmajor Contractors

How To Audit A Government Contractor

DCAA Perspective: Key Subcontracting Practices for Maintaining Approved Business Systems Accounting System and Estimating System

Accounting System Requirements

January (1) CHAPTER 5. Table of Contents

What Exactly is an Acceptable Accounting System?

October 14, (1)

Review of Audits Issued by the Defense Contract Audit Agency in FY 2012 and FY 2013

Activity Code Material Management and Accounting System (MMAS) Version 9.10, dated September 2015 B-1 Planning Considerations

MAAR 13 Purchase Existence and Consumption

MEMORANDUM OF UNDERSTANDING Between Defense Contract Audit Agency and Department of Homeland Security

Pre-Award Accounting Systems

Government Contractor Business Systems and Overview of System Assessments

DCAA Audit R 4 Rights to Records, Requirements & Remedies

Master Document Audit Program. or Interviews. Version 3.21, dated April 2016 B-1 Planning Considerations

The Devil is in the Details Compliance with the Business Systems Rule

Master Document Audit Program. Version 7.4, dated November 2006 B-1 Planning Considerations. Purpose and Scope

Master Document Audit Program

Strategic Implications of the New DFARS Business System Rule Co-presented by Venable LLP and Argy, Wiltse & Robinson June 12, 2012

WELCOME. Accounting Systems for DOD Contracts

DCAA Initiatives/Current Issues

MEMORANDUM OF UNDERSTANDING Between Defense Contract Audit Agency and Department of Homeland Security

INSTRUCTION NUMBER August 22, 2008

Evaluation of Defense Contract Management Agency Actions on Reported DoD Contractor Business System Deficiencies

Master Document Audit Program. Activity Code Compliance Audit CAS 409 Version 5.16, dated November 2015 B-1 Planning Considerations

September 16, (1) CHAPTER 6

Preaward and Post Award Accounting System Audits. November 17, 2011 Pikes Peak NCMA Roland Wick

NCMA MEETING PREPARING FOR A DCAA PRICE PROPOSAL AUDIT JUNE 8, 2011

Preaward Survey of Prospective Contractor Accounting System

July 6, (1) CHAPTER 11

Master Document Audit Program. Activity Code Compliance Audit CAS 404 Version 5.15, dated November 2015 B-1 Planning Considerations

Master Document Audit Program. Version 4.7, dated November 2015 B-1 Planning Considerations

Department of Defense Inspector General OAIG-Audit Policy and Oversight ATTN: APO, Suite 11D Mark Center Drive Alexandria, VA

DCAA Our Role. Laura Cloyd-Hall, CPA, MBA John D. Mollohan II, CPA, CFE. Page 1. DCAA : Celebrating 50 Years of Excellence

Accounting System Requirements

DEFENSE CONTRACT AUDIT AGENCY 8725 JOHN J. KINGMAN ROAD, SUITE 2135 FORT BELVOIR, VA PPS June 26, 2012 INFORMATION FOR CONTRACTORS

PAC B.03/ April 24, PAC-005(R) MEMORANDUM FOR REGIONAL DIRECTORS, DCAA HEADS OF PRINCIPAL STAFF ELEMENTS, HQ, DCAA

May 11, (1) CHAPTER 2. Table of Contents

INTERNAL CONTROL MATRIX FOR AUDIT OF BILLING SYSTEM CONTROLS Version No. 4.2 August 2006

DCAA and the Small Business Innovative Research (SBIR) Program

Basic Financial Requirements for Government Contracting

Presenting the Numbers: Accounting Systems for Government Contractors

GAO DEFENSE CONTRACT AUDITS. Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports

Department of Defense INSTRUCTION

Contractor Purchasing System Review (CPSR)

DOD's Business Systems Rule: The Challenge Measuring Government Contractor Compliance Against Subjective Criteria and Perceived Risks

DCAA Guidelines. How the SBIR firm can work effectively with the Defense Contract Audit Agency

October 1, (1)

Defense Contract Audit Agency NAVAIR Small Business Aviation Technology Conference

REPORTING REQUIREMENTS AND SAMPLE REPORTS

Master Document Audit Program. Activity Code Cost Impact Statement (Price Adjustment) Version 4.17, dated April 2016 B-1 Planning Considerations

THE DCAA AUDIT BECOMING DCAA COMPLIANT

CHAPTER 8. Table of Contents

DEFENSE CONTRACT AUDIT AGENCY DEPARTMENT OF DEFENSE 8725 JOHN J. KINGMAN ROAD, SUITE 2135 FORT BELVOIR, VA

Is Your Accounting System Making the Grade? Attributes of an Acceptable Accounting System April 26, 2012

REAL-TIME LABOR EVALUATIONS. The views expressed in this presentation are DCAA's views and not necessarily the views of other DoD organizations

Audit Expectations for Small Businesses

DCAA Contract Audit Manual

January (1) CHAPTER 6. Table of Contents

QUALITY CONTROL REVIEW REPORT

How to Survive a DCAA Audit

GAO DCAA AUDITS. Allegations That Certain Audits at Three Locations Did Not Meet Professional Standards Were Substantiated

ARMED SERVICES BOARD OF CONTRACT APPEALS

Chapter 6 Labor-Charging Systems and Other Considerations

U.S. Department of Energy Office of Inspector General Office of Audit Services. Audit Report. Selected Energy Efficiency and Renewable Energy Projects

CHAPTER Preaward Surveys of Prospective Contractor Accounting Systems

DCAA Audits of Compliance Systems and the Implications of Changes in the False Claims Act for Universities

Statement of Mr. William H. Reed Director, Defense Contract Audit Agency Senate Armed Services Committee April 19, 2007

INTERNAL CONTROL MATRIX FOR AUDIT OF LABOR AND ACCOUNTING CONTROLS Version No. 4.2 June 2006

SUBCHAPTER G CONTRACT MANAGEMENT PART 842 CONTRACT ADMINISTRATION AND AUDIT SERVICES

Direct and Indirect Labor. The Scenario

Hotline Complaint Regarding the Defense Contract Audit Agency Examination of a Contractor s Subcontract Costs

DOECAA Spring Conference Presentation. Cost Reimbursement Contracting Issues - DOE Proposed Business System Rule

CHAPTER 23. Contract Management and Administration

Certificate of Accounting, Billing and Property System Adequacy

Testimony. Patrick J. Fitzgerald Director, Defense Contract Audit Agency. before the. Commission on Wartime Contracting In Iraq and Afghanistan

Transcription:

DEFENSE CONTRACT AUDIT AGENCY DEPARTMENT OF DEFENSE 8725 JOHN J. KINGMAN ROAD, SUITE 2135 FORT BELVOIR, VA 22060-6219 IN REPLY REFER TO April 24, 2012 MEMORANDUM FOR REGIONAL DIRECTORS, DCAA DIRECTOR, FIELD DETACHMENT, DCAA HEADS OF PRINCIPAL STAFF ELEMENTS, HQ, DCAA SUMMARY The purpose of this memorandum is to provide general guidance on DCAA s new approach and revised policy for auditing major and other large contractor business systems and specific guidance on auditing contractor accounting systems for compliance with the criteria at DFARS 252.242-7006, Accounting System Administration (see DFARS 242.7503 for the types of contracts to which this clause applies). New Accounting System audit programs and related documents are now being delivered in APPS. Topics addressed in this guidance include: Audit Approach Definitions and Underlying Concepts Evaluating Identified Noncompliances Reporting Results Testing Relevant Data and Cycling of Accounting System Audits Reporting Significant Deficiencies Identified in Other Than Business Systems Audits Business System Follow-Up Audits The audit programs for nonmajor contractor business systems are being updated to reflect the DFARS business system criteria and will be issued shortly. BACKGROUND Over the last few years, we have been performing a comprehensive reassessment of the process for evaluating and reporting on contractor business systems. This reassessment included the involvement of numerous pilot sites, regional focal points to assist the FAO pilot sites in the implementation of the pilot audit programs, and a strategic plan ad hoc committee on business systems. This work has resulted in the development of several new audit programs and related documents, which reflect a new approach and revised policy for DCAA s audit of major contractor business systems for compliance with the DFARS rule on contractor business systems, issued on February 24, 2012. MRD 12-PPS-009(R), dated March 28, 2012, provided general information on that rule and DCAA s responsibilities for auditing the business systems defined in the rule. This memorandum provides guidance on the audit of the contractor s

accounting system. However, the approach and general concepts also apply to audits of other business systems. Specific guidance on the other DFARS business systems for which DCAA has audit responsibilities is still being developed and will be issued at a later date. GUIDANCE Audit Approach New audit programs and related documents for the examination of the contractor s compliance with the DFARS 252.242-7006 accounting system criteria are now being delivered for the Accounting System Audit (11070), Control Environment Audit (11070), and the Billing Audit (11010), and are available on the DCAA Intranet. The 11070 Accounting System Audit will serve as a controlling assignment for the audit of the contractor s compliance with all 18 DFARS 252.242-7006 system criteria for an acceptable accounting system. Some of those criteria relate to sub-systems of the overall accounting system, such as billing, labor/ timekeeping, and the control environment. Therefore, compliance with some of the criteria will be examined in separate audit assignments. Some of those assignments will be established specifically for that purpose; for example, the 11070 Control Environment Audit covers the criterion at DFARS 252.242-7006(c)(1) and the 11010 Billing Audit covers the criteria at DFARS 252.242-7006(c)(15)(i) and (16)). Additionally, DCAA performs other audit assignments that include procedures that can be used to test compliance with some of the DFARS system criteria (e.g., labor floor checks/interviews MAAR 6, purchase existence and consumption MAAR 13 and CAS audits). The applicable work done in those other assignments should be referenced and incorporated into the Accounting System Audit assignment as noted in the audit program. Separate audits of the Labor Accounting System and Indirect and Other Direct Cost System (Activity Codes 13010 and 14980) will no longer be performed as the relevant procedures from those audits have been incorporated into the audit program for the 11070 Accounting System Audit. Corrective actions related to any outstanding significant deficiencies/material weaknesses from those audit assignments will be audited using the process discussed in the Business System Follow-Up Audits section below. The Other Audit Guidance (OAG) internal control matrixes for those and other business systems will continue to be available on the DCAA Intranet as reference material and to assist auditors in developing audit procedures for business system audits, as needed. The new approach for auditing contractor business systems as reflected in the new accounting system, control environment, and billing audit programs includes contractor system demonstrations and walk-throughs by the applicable contractor personnel of the various processes that ensure compliance with the DFARS business system criteria. These contractor demonstrations, which are performed during the risk assessment, are an essential element for obtaining and documenting the understanding of the relevant internal controls. In addition, because business system audits are generally large and complex, the revised audit programs are designed to use a team approach that include team discussions to help facilitate the audits and provide for a better understanding of the contractor s accounting system and environment. 2

The objective of the new approach to auditing contractor business systems is to determine if the contractor is in compliance with the DFARS system criteria. Therefore, the business system audits will opine on the contractor s compliance with the DFARS criteria rather than on the effectiveness of the contractor s internal controls or the adequacy of the contractor s business systems. However, the business system audit programs include some tests of controls. Therefore, auditors may be able to rely on the tests of controls performed in the business system audits to reduce substantive testing in a specific audit area in other related audits if the controls for that audit area were tested and found effective and are current and relevant to the other audit being performed. If the auditor relies on those tests of controls, the auditor should reference the business system assignment and incorporate or reference working papers from that assignment to clearly document the specific procedures that provide sufficient evidence of the operating effectiveness of the controls. Definitions and Underlying Concepts DFARS 252.242-7005(a) defines significant deficiency as: A shortcoming in the system that materially affects the ability of officials of the Department of Defense to rely upon information produced by the system that is needed for management purposes. A significant deficiency based on the DFARS definition also will generally represent a material weakness in internal control as defined in the auditing standards. Although, the objective of our business system audit is to determine the contractor s compliance with the DFARS criteria and to report significant deficiencies based on the DFARS definition of a significant deficiency, GAGAS require auditors to include in the audit report material weaknesses based on the auditing standards definitions (GAGAS 6.33 in the 2007 GAGAS Revision and GAGAS 5.22 in the 2011 GAGAS Revision). Therefore, the term significant deficiency/material weakness as used throughout the remainder of this MRD refers to the DFARS definition of a significant deficiency and the auditing standards definition of a material weakness. GAGAS 5.22 in the 2011 GAGAS Revision refers to AT 501.07 of the AICPA Statements on Standards for Attestation Engagements (SSAE) for the definition of material weakness. However, since the AT 501.07 definition is related to internal control over financial reporting and the DFARS criteria are related to internal control over compliance, we have modified the definition of material weakness as follows: A material weakness related to internal control over compliance is: A deficiency, or combination of deficiencies, in internal control over compliance such that there is a reasonable possibility that a material noncompliance with a compliance requirement (e.g., applicable Government contract laws and regulations) will not be prevented, or detected and corrected on a timely basis. GAGAS also require auditors to include in the report deficiencies, or a combination of deficiencies, in internal control that are less severe than material weaknesses (and, hence, also less severe than a significant deficiency as defined by the DFARS), yet important enough to merit the attention of those charged with governance (i.e., responsible contractor management officials). 3

Evaluating Identified Noncompliances The contract clause for each DFARS business system provides specific criteria with which an acceptable system must comply. The clause at DFARS 252.242-7006, Accounting System Administration provides 18 criteria. Compliance with those criteria provides reasonable assurance that applicable laws and regulations are complied with; the accounting system and cost data are reliable; the risk of misallocations and mischarges is minimized; and the contract allocation and charges are consistent with billing procedures. A material noncompliance with any one of the 18 criteria indicates a significant deficiency/material weakness exists and that the contractor has not complied in all material respects with the DFARS criteria. The auditor should use the guidelines discussed below to evaluate whether noncompliances with the DFARS criteria identified during the audit are material noncompliances; and, therefore, significant deficiencies/material weaknesses, either individually or in combination. If one or more significant deficiency/material weakness exists, the audit report will state that the contractor did not comply in all material respects with the DFARS system criteria for the period covered by the audit. Auditors should be aware that multiple noncompliances affecting the same criteria may, in combination, constitute a material noncompliance; and, therefore, a significant deficiency/material weakness. Although individually such noncompliances may not be material, collectively the noncompliances are material. Auditors may identify instances of noncompliances in the contractor s business system that do not rise to the level of a material noncompliance; and, therefore, are less severe than a significant deficiency/material weakness, but are important enough to merit the attention of the responsible contractor management officials so that appropriate action can be taken. These instances of noncompliances do not materially affect the Department s ability to rely upon the information produced by the system; however, as discussed above, GAGAS require that they be included in the report. Therefore, if there are no significant deficiencies/material weaknesses but there are instances of noncompliance that warrant the attention of the responsible contractor management officials, the audit report will state that the contractor complied in all material respects with the DFARS system criteria for the period covered by the audit and the conditions will be described in the results of audit section, generally following the opinion paragraph. The business system audit report shells include the appropriate language and presentation. In evaluating whether a noncompliance is severe enough to be considered a material noncompliance and a significant deficiency/material weakness, the auditor should consider the likelihood that the identified noncompliance with the DFARS criteria will result in noncompliance with other applicable Government contract laws and regulations (e.g., with FAR Subpart 31.2, CAS, or applicable requirements in FAR Part 15) and the magnitude of those potential other noncompliances. If there is a reasonable possibility that the identified noncompliance with the DFARS criteria will result in a material noncompliance with other applicable Government contract laws and regulations, either individually or in combination, it is a significant deficiency/material weakness. Some of the specific factors that auditors should consider include: 4

The nature and frequency of the noncompliance with the DFARS criteria identified with appropriate consideration of sampling risk (i.e., the risk that the conclusion based on the sample is different than it would be had the entire population been tested). Whether the noncompliance with the DFARS criteria is material considering the nature of the compliance requirements. The root cause of the noncompliance. (Understanding why the noncompliance occurred will help to determine if it is systemic and significant.) The effect of compensating controls. The possible future consequences of the noncompliance with the DFARS criteria. Qualitative considerations, including the needs and expectations of the report s users. For Government contract cost issues, qualitative considerations also include serving the public interest and honoring the public trust. The following indicators of a significant deficiency/material weakness also should be considered: History of noncompliances found in contractor assertions (e.g., public vouchers, incurred cost submissions, proposals) requiring correction. Identification of material noncompliances with applicable Government contract laws and regulations (e.g., with FAR Subpart 31.2, CAS, or applicable requirements in FAR Part 15) either in the business system audit or another audit. The audit team should use appropriate levels of materiality considering the public accountability of entities receiving Government funds, and the visibility and sensitivity of Government programs. Materiality levels in such cases should generally be lower than when Government funds and programs are not involved (GAGAS 6.28 in the 2007 GAGAS Revision and GAGAS 5.46 in the 2011 GAGAS Revision). In addition, it is not necessary to demonstrate an actual monetary impact to the Government (e.g., unallowable or unallocable costs, or that the price the Government negotiated for a contract was unreasonable) to report a significant deficiency/material weakness. There only needs to be a reasonable possibility that the noncompliance with the DFARS criteria will result in a material noncompliance with other applicable Government contract laws and regulations, thus materially affecting the reliability of the data produced by the system. The audit team should be able to develop the six elements of a finding as discussed in CAM 10-409 for each noncompliance with the DFARS criteria that the team determines is a significant deficiency/material weakness. This includes explaining the adverse impact to the Government (i.e., the harm or potential harm to the Government). If the audit team determines that a noncompliance is not a significant deficiency/material weakness, the team should consider whether prudent officials, having knowledge of the same facts and circumstances, would likely reach the same conclusion (i.e., that the official would conclude that he/she can rely on the information produced by the contractor s system in the conduct of his/her duties and responsibilities). 5

Reporting Results Upon completion of the separate Billing Audit and Control Environment Audit subassignments, the results will be summarized in a memorandum for record (MFR) to be reported as a part of the 11070 Accounting System Audit. If a significant deficiency/material weakness is identified as a result of those audits, auditors should generally not wait for the completion of the Accounting System Audit to report the deficiency unless that report is expected to be issued in the near future. Instead, a deficiency report should be issued under the Billing Audit and Control Environment Audit sub-assignment number using the deficiency report shell (Business System Deficiency Report.doc), which can be added in APPS through the Library Access. The issuance of a deficiency report does not replace the MFR for the Billing Audit and Control Environment Audit sub-assignments. The overall results of those sub-assignments should be documented in an MFR. Because of the importance of timely communication of deficiencies, it also may be appropriate in some cases to issue an audit report on a significant deficiency/material weakness identified in an in-process business system audit (e.g., prior to completion of the Billing Audit or Control Environment Audit sub-assignment). In those cases, the auditor will not issue the deficiency report under the Billing Audit or Control Environment Audit sub-assignment number but instead will set up a separate assignment using the new 11070 Deficiency Report subactivity. The new subactivity code also is used to report deficiencies identified in other than business systems audits as discussed later in this guidance. The Deficiency Report Assignment should not be established until there is sufficient evidence that a significant deficiency/material weakness exists and the elements of a finding for the deficiency are fully developed in the originating inprocess business system audit (see CAM 10-409). The procedures in CAM 4-304 for providing the contractor with the results of the audit and obtaining the contractor s views on the findings and recommendation should be followed for deficiency reports. In addition, auditors are reminded that they should communicate with the contractor and the contracting officer throughout the audit regarding significant issues (see CAM 4-105 and 4-303.1). All deficiencies identified during the course of the audit of the accounting system (including the Billing Audit and Control Environment Audit sub-assignments) will be included in the final accounting system audit report, including those previously reported in separate deficiency reports as discussed in the two paragraphs above. The audit report number, date of the deficiency report, and the status of the deficiencies should be noted in the Statement of Conditions and Recommendations for any previously reported significant deficiencies/ material weaknesses. The Statement of Conditions and Recommendations should place the auditor s findings in perspective by describing the nature and extent of the issues being reported and the extent of work performed that resulted in the finding. To give the contracting officer a basis for judging the prevalence and consequences of the finding auditors should, as appropriate, relate the instances of noncompliance identified to the population or the number of cases examined. The presentation should include the two main 6

subheadings Condition and Recommendation. The first five elements of an audit finding discussed CAM 10-409 (condition, criterion, cause, fact, and effect) should be addressed under the subheading Condition to present a logical, convincing case. Those individual elements do not need to be presented under separate subheadings. The condition statement should cite the specific DFARS 252.242-7006 criterion that was found to be noncompliant (e.g., DFARS 252.242-7006(c)(1)). The condition statement should clearly explain how the finding demonstrates noncompliance with the specific criteria. Recommendations for corrective actions to eliminate the cause of the condition should be included under the subheading Recommendations. DCAA reports on contractor business systems will no longer recommend that the contracting officer disapprove affected portions of the system, or pursue suspension of a percentage of progress payments or reimbursement of costs. The DFARS contract clause provides specific procedures for the contracting officer s disapproval of the system and a mechanism for the contracting officer to withhold a percentage of payments when significant deficiencies are identified; therefore, such a recommendation is not needed. The audit report shell provides the appropriate standard audit report language. Testing Relevant Data and Cycling of Accounting System Audits The new accounting system audit report will report on the contractor s compliance with the system criteria during a period of time, consistent with the attestation reporting standards (AT 601.55b). Therefore, to provide a reasonable basis for the conclusion expressed in the report, auditors must perform sufficient testing of data relevant to the period covered by the audit. What constitutes sufficient testing is a matter of professional judgment based on the risk assessment and taking into consideration factors such as the nature and frequency of the control or operation involved and the volume of transactions to which it is applied. Auditors should generally perform testing of data generated by the system throughout the period covered by the audit. In addition, timely reporting is essential in providing relevant information to contracting officers and other users of our audit reports. Timely reporting also allows the contractor to take prompt corrective action to prevent noncompliances with other applicable Government contract laws and regulations so that officials of the Department of Defense can rely on information produced by the system. The more current the information in the audit report, the more helpful it will be to the users. Therefore, every effort should be made to plan and perform the audit and issue the audit report within a timeframe that avoids the elapse of excessive time between the period of the transactions covered by the audit and the date of the report. This will include the development and use of a milestone plan, as discussed in MRD 12-PPS-001, Audit Guidance on Milestone Plans, dated January 25, 2012. The accounting system and control environment audits will be performed every third year based on the period covered by the audit. For example, if the last audit covered the 12 months ended December 31, 2011, the next audit in the cycle should cover the 12 months ended 7

December 31, 2014. However, if significant changes occur in the contractor s accounting system in the interim (including sub-systems), or real-time audits identify significant deficiencies/ material weaknesses that warrant an early review, the system audit should be performed prior to the audit cycle. Generally, the billing audit will be performed every year. If a significant deficiency/material weakness is identified in a billing audit between the periods of the accounting system report cycle, auditors should issue a deficiency report (as discussed earlier in the MRD) and consider whether an earlier examination of the accounting system is warranted. Any outstanding significant deficiencies/material weaknesses will be included in the next accounting system audit report. A deficiency would be considered outstanding unless the contractor has corrected the deficiency and DCAA has performed a follow-up audit and found the corrective action effective. Reporting Significant Deficiencies Identified in Other Than Business Systems Audits We have established a new Business System Deficiency Report APPS package that delivers a new report shell and a new audit program that includes procedures for preparing and issuing an audit report on business system deficiencies identified in other than a business system audit. The new package is temporarily available under two new subactivities pending the establishment of a separate Business System Deficiency Report activity code, which we expect to be available in June. The 11070 Accounting System Deficiency Report subactivity will be used to issue deficiency reports for all systems other than the estimating system and the budget and planning system. The 24010 Estimating System Deficiency Report subactivity will be used to issue deficiency reports for the estimating system and the budget and planning system. The process reflected in the new Deficiency Report Assignment audit program replaces flash reporting procedures and limited scope internal control audits. The previous OAG Report on Limited Scope Internal Control Audits has been deactivated and the guidance in CAM 10-413 on flash reporting will be revised in the near future to incorporate this guidance. When a noncompliance with the DFARS criteria is identified in other than a business system audit (e.g., incurred cost audit), a separate Business System Deficiency Report Assignment should be established using the appropriate Deficiency Report subactivity (either 11070 or 24010). The assignment description should note the system or sub-system involved. Because of the importance of timely communication of such matters, the deficiency report should be issued as soon as possible. GAGAS require auditors to report certain findings identified in an examination engagement, even when those findings are related to areas outside the specific objectives of the engagement (GAGAS 6.33 in the 2007 GAGAS Revision and GAGAS 5.20 in the 2011 GAGAS Revision). This includes, among other things, material weaknesses in internal control; deficiencies in internal control that are less severe than material weaknesses, yet important enough to merit the attention of those charged with governance; and noncompliance with provisions of regulations or contracts that have a material effect on the subject matter of the 8

examination engagement. A contractor s noncompliance with the DFARS business system criteria identified in other than business system audits (e.g., an accounting system deficiency identified during an incurred cost audit) fits within those categories. To facilitate tracking and timely resolution of noncompliances with the DFARS criteria identified in other than business system audits, DCAA will report the findings in a separate deficiency report. The Deficiency Report Assignment is an integral part of the originating GAGAS examination engagement (e.g., incurred cost audit), not a separate examination. As a result, it is not necessary to document in the deficiency report assignment many of the procedures generally required to comply with GAGAS for an examination, since the GAGAS procedures would be documented in the originating GAGAS examination engagement. The deficiency report assignment working papers will reference the originating assignment and include the working papers from that assignment that contain support for the noncompliance with the DFARS criteria. Otherwise, it generally will not be necessary to reference or incorporate other working papers from the originating assignment (e.g., related to the risk assessment). If the evaluation of the identified noncompliance with the DFARS criteria and the elements of a finding were not fully developed in the originating assignment (see CAM 10-409), the auditor should perform procedures to accomplish that as part of the Deficiency Report Assignment so as not to delay issuance of the report on the originating examination. However, such effort should generally not be extensive since the objective is not to evaluate the contractor s compliance with all aspects of the applicable DFARS criterion or criteria but only to establish whether the noncompliance identified in the originating audit is a material noncompliance; and, therefore, represents a significant deficiency/material weakness or is less severe than a significant deficiency/material weakness, yet important enough to warrant the attention of responsible contractor officials. In either case, the noncompliance will be reported in the deficiency report. Both the deficiency report and the report on the originating GAGAS examination will note that the separate deficiency report is an integral part of the examination engagement and each report will reference the other. The deficiency audit report shell provides the appropriate audit report language to be used in the circumstances covered by this guidance. We also are revising other applicable report shells (e.g., for proposal and incurred cost audits) to include appropriate language to use when noncompliances with the DFARS criteria are identified in other than business system audits. Auditors should report the results of limited scope internal control audits that are currently in process (i.e., those established under the former limited scope process) using the new deficiency report shell. The report should be added to the in-process assignment using the APPS Library Access and should be tailored appropriately for the circumstances. Auditors will need to align the significant deficiencies/material weaknesses with the new business system criteria. Alignment of the deficiencies to the new system criteria should be documented in the working papers. Any in-process flash report assignments should be converted to a deficiency report 9

assignment. Auditors should ensure that all applicable procedures from the deficiency report assignment audit program are performed in this conversion. For example, if not accomplished in the originating assignment, the identified noncompliance should be evaluated and the elements of a finding should be fully developed in the deficiency report assignment. Business System Follow-Up Audits The guidance pertaining to the performance of follow-up audits for business systems is being revised to reflect the impact of the business system rule. Accordingly, we have developed a new OAG Business System Follow-up Audit Report that is available in the APPS Library and on the DCAA Intranet. The previous OAG Follow-Up Internal Control Audit Report has been deactivated. Business system follow-up audit assignments will be established using the appropriate business system activity code, depending on the system or sub-system involved. The business system audit program should be modified appropriately to reflect the audit procedures applicable to the area(s) related to the previously reported significant deficiencies/material weaknesses. In addition, the auditor should replace the audit report shell delivered in APPS with the new OAG Business System Follow-up Audit Report, which can be added using the APPS Library Access. FAOs should initiate follow-up audits to verify the contractor s correction of previously reported business system deficiencies when the FAO is notified by the contractor (either directly or through the ACO) that it has implemented the appropriate corrective actions and sufficient transactions are available to adequately test the effectiveness of the corrective actions. What constitutes sufficient transactions will depend on factors such as the nature of the deficiency and the affected control, the frequency of the control s application, and the volume of transactions to which it is applied. When a request is received for a follow-up or any other business system audit, the applicable procedures in CAM 4-100 for a requested (i.e., demand) assignment should be followed. The new business system audit programs and the new follow-up audit report can be used to perform and report on audits of the contractor s corrective actions related to significant deficiencies/material weaknesses that were reported either prior to or after the DFARS business rule establishing specific criteria for contractor business systems was implemented. Generally, any significant deficiencies/material weaknesses identified in a previous audit will be covered under the DFARS system criteria. Therefore, if the deficiencies were reported prior to the DFARS rule, auditors will need to align the previously reported significant deficiencies/material weaknesses with the new business system criteria. Alignment of the previously reported deficiencies to the new system criteria should be documented in the working papers and reflected in the audit report Statement of Conditions and Recommendations. If FAOs are experiencing difficulties aligning the DFARS criteria to the identified deficiencies, those issues should be coordinated with the region and Headquarters Policy. 10

The scope of the follow-up audit will be limited to determining if the contractor corrected the previously reported significant deficiencies/material weaknesses and the report will opine on the effectiveness of the contractor s corrective actions. If the contractor has not corrected all of the previously reported significant deficiencies/material weaknesses, the report will state that those deficiencies result in material noncompliance with the DFARS system criteria. The follow-up audit report shell provides the appropriate follow-up audit report language to be used in the circumstances covered by this guidance. If the FAO is currently in the process of performing a full accounting system audit, corrective actions related to previously reported deficiencies generally would be tested in that audit rather than in a separate follow-up audit. CONCLUDING REMARKS The audit programs for Activity Code 17740 Preaward Survey of Prospective Contractor Accounting System and Activity Code 17741 Postaward Accounting System Audit at Nonmajor Contractors are being updated to reflect the DFARS business system criteria and will be issued shortly. FAO personnel should direct questions regarding this memorandum to their regional offices, and regional personnel should direct any questions to Auditing Standards Division at (703) 767-3274 or e-mail: DCAA-PAS@dcaa.mil. DISTRIBUTION: E /Signed/ Kenneth J. Saccoccia Assistant Director Policy and Plans 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information